Merge branch 'master' of https://github.com/fail2ban/fail2ban into ban-time-incr;

Conflicts in ChangeLog resolved; obsolete imports removed;
2014-06-19 17:40:00 +02:00 · 2014-06-19 17:40:00 +02:00 · ccf2521a6d
parent 6ecd7ddddf 94232d7c31
commit ccf2521a6d
12 changed files with 114 additions and 18 deletions
--- a/4
+++ b/4
@ -27,9 +27,9 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
   * Database now returns persistent bans on restart (bantime < 0)
   * Recursive action tags now fully processed. Fixes issue with bsd-ipfw
     action
-   * Correct times for non-timezone date times formats - Thanks sebres
+   * Correct times for non-timezone date times formats during DST.
   * Fixed TypeError with "ipfailures" and "ipjailfailures" action tags.
-     Thanks Serg G. Brester
+     Thanks Serg G. Brester (sebres)

 - New features:
   - Added monit filter thanks Jason H Martin.
--- a/4
+++ b/4
@ -49,6 +49,7 @@ John Thoe
 Jacques Lav!gnotte
 Ioan Indreias
 Jason H Martin
+Joel M Snyder
 Jonathan Kamens
 Jonathan Lanning
 Jonathan Underwood
@ -76,6 +77,7 @@ Michael Hanselmann
 Mika (mkl)
 Nick Munger
 onorua
+Paul Marrapese
 Noel Butler
 Patrick Börjesson
 Raphaël Marichez
@ -86,7 +88,7 @@ Rolf Fokkens
 Roman Gelfand
 Russell Odom
 Sebastian Arcus
-sebres
+Serg G. Brester (sebres)
 Sireyessire
 silviogarbes
 Stefan Tatschner
--- a/bin/fail2ban-regex
+++ b/bin/fail2ban-regex
@ -25,11 +25,11 @@ This tools can test regular expressions for "fail2ban".

 """

-__author__ = "Cyril Jaquier, Yaroslav Halchenko"
-__copyright__ = "Copyright (c) 2004-2008 Cyril Jaquier, 2012-2013 Yaroslav Halchenko"
+__author__ = "Fail2Ban Developers"
+__copyright__ = "Copyright (c) 2004-2008 Cyril Jaquier, 2012-2014 Yaroslav Halchenko"
 __license__ = "GPL"

-import getopt, sys, time, logging, os, locale, shlex, urllib
+import getopt, sys, time, logging, os, locale, shlex, time, urllib
 from optparse import OptionParser, Option

 from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError
@ -223,6 +223,7 @@ class Fail2banRegex(object):
 		self._filter = Filter(None)
 		self._ignoreregex = list()
 		self._failregex = list()
+		self._time_elapsed = None
 		self._line_stats = LineStats()

 		if opts.maxlines:
@ -348,7 +349,7 @@ class Fail2banRegex(object):
 		return line, ret

 	def process(self, test_lines):
-
+		t0 = time.time()
 		for line_no, line in enumerate(test_lines):
 			if isinstance(line, tuple):
 				line_datetimestripped, ret = fail2banRegex.testRegex(
@ -383,6 +384,7 @@ class Fail2banRegex(object):

 			if line_no % 10 == 0 and self._filter.dateDetector is not None:
 				self._filter.dateDetector.sortTemplate()
+		self._time_elapsed = time.time() - t0



@ -456,7 +458,10 @@ class Fail2banRegex(object):
 						template.hits, template.name))
 			pprint_list(out, "[# of hits] date format")

-		print "\nLines: %s" % self._line_stats
+		print "\nLines: %s" % self._line_stats,
+		if self._time_elapsed is not None:
+			print "[processed in %.2f sec]" % self._time_elapsed,
+		print

 		if self._print_all_matched:
 			self.printLines('matched')
--- a/config/action.d/badips.py
+++ b/config/action.d/badips.py
@ -161,7 +161,7 @@ class BadIPsAction(ActionBase):
 				"/".join([self._badips, "get", "list", category, str(score)]),
 				urlencode({'age': age})])
 			if key:
-				url = "&".join([url, urlencode({"key", key})])
+				url = "&".join([url, urlencode({'key': key})])
 			response = urlopen(self._Request(url))
 		except HTTPError as response:
 			messages = json.loads(response.read().decode('utf-8'))
@ -346,7 +346,7 @@ class BadIPsAction(ActionBase):
 		try:
 			url = "/".join([self._badips, "add", self.category, aInfo['ip']])
 			if self.key:
-				url = "?".join([url, urlencode({"key", self.key})])
+				url = "?".join([url, urlencode({'key': self.key})])
 			response = urlopen(self._Request(url))
 		except HTTPError as response:
 			messages = json.loads(response.read().decode('utf-8'))
--- a/config/filter.d/oracleims.conf
+++ b/config/filter.d/oracleims.conf
@ -0,0 +1,61 @@
+# Fail2Ban configuration file
+# for Oracle IMS with XML logging
+#
+# Author: Joel Snyder/jms@opus1.com/2014-June-01
+#
+#
+
+
+[INCLUDES]
+
+# Read common prefixes.
+# If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages
+# in the logfile. The host must be matched by a
+# group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is
+# only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#
+# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE:
+#
+# In OPTION.DAT you must have LOG_FORMAT=4 and
+#  bit 5 of LOG_CONNECTION must be set. 
+#
+# Many of these sub-fields are optional and can be turned on and off
+# by the system manager.  We need the "tr" field
+#  (transport information (present if bit 5 of LOG_CONNECTION is
+# set and transport information is available)).
+# "di" should be there by default if you have LOG_FORMAT=4.
+# Do not use "mi" as this is not included by default.
+#
+# Typical line IF YOU ARE USING TAGGING ! ! ! is:
+# <co ts="2014-06-02T09:45:50.29" pi="123f.3f8.4397"
+# sc="tcp_local" dr="+" ac="U"
+# tr="TCP|192.245.12.223|25|151.1.71.144|59762" ap="SMTP"
+# mi="Bad password"
+# us="01ko8hqnoif09qx0np@imap.opus1.com"
+# di="535 5.7.8 Bad username or password (Authentication failed)."/>
+# Format is generally documented in the PORT_ACCESS mapping 
+# at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
+#
+# All that would be on one line.
+# Note that you MUST have LOG_FORMAT=4 for this to work!
+#
+
+failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@ -32,7 +32,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
-            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
+            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$

 ignoreregex = 

--- a/config/jail.conf
+++ b/config/jail.conf
@ -739,3 +739,11 @@ action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp
 enabled  = false
 logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
 maxretry = 1
+
+
+[oracleims]
+# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
+enabled = false
+logpath = /opt/sun/comms/messaging64/log/mail.log_current
+maxretry = 6
+banaction = iptables-allports
--- a/fail2ban/server/failmanager.py
+++ b/fail2ban/server/failmanager.py
@ -84,7 +84,7 @@ class FailManager:
 		finally:
 			self.__lock.release()

-	def addFailure(self, ticket, count=1, observed = False):
+	def addFailure(self, ticket, count=1, observed=False):
 		try:
 			self.__lock.acquire()
 			ip = ticket.getIP()
@ -141,7 +141,7 @@ class FailManager:
 		if self.__failList.has_key(ip):
 			del self.__failList[ip]
 	
-	def toBan(self, ip = None):
+	def toBan(self, ip=None):
 		try:
 			self.__lock.acquire()
 			for ip in ([ip] if ip != None and ip in self.__failList else self.__failList):
--- a/fail2ban/server/observer.py
+++ b/fail2ban/server/observer.py
@ -29,10 +29,6 @@ import time, logging
 import threading
 import os, datetime, math, json, random
 import sys
-if sys.version_info >= (3, 3):
-	import importlib.machinery
-else:
-	import imp
 from .mytime import MyTime

 # Gets the instance of the logger.
--- a/fail2ban/tests/files/logs/oracleims
+++ b/fail2ban/tests/files/logs/oracleims
@ -0,0 +1,19 @@
+# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6.3 and ABOVE:
+#
+# In OPTION.DAT you must have LOG_FORMAT=4 and
+#  bit 5 of LOG_CONNECTION must be set. 
+#
+# Many of these sub-fields are optional and can be turned on and off
+# by the system manager.  We need the "tr" field
+#  (transport information (present if bit 5 of LOG_CONNECTION is
+# set and transport information is available)).
+# "di" should be there by default if you have LOG_FORMAT=4.
+#
+# failJSON: { "time": "2014-06-02T22:02:13", "match": false , "host": "23.122.129.179" }
+<co ts="2014-06-02T22:02:13.94" pi="72a9.3b4.3774" sc="tcp_submit" dr="+" ac="U" tr="TCP|192.245.12.223|465|23.122.129.179|60766" ap="SMTP/TLS-128-RC4" mi="Authentication successful - switched to channel tcp_submit" us="jaugustine@example.org" di="235 2.7.0 LOGIN authentication successful."/>
+# failJSON: { "time": "2014-06-02T16:06:33", "match": true , "host": "89.96.245.78" }
+<co ts="2014-06-02T16:06:33.99" pi="72aa.17f0.25622" sc="tcp_local" dr="+" ac="U" tr="TCP|192.245.12.223|25|89.96.245.78|4299" ap="SMTP" mi="Bad password" us="nic@transcend.com" di="535 5.7.8 Bad username or password (Authentication failed)."/>
+# failJSON: { "time": "2014-06-02T10:08:07", "match": true , "host": "71.95.206.106" }
+<co ts="2014-06-02T10:08:07.56" pi="123f.8e2.9022" sc="tcp_local" dr="+" ac="U" tr="TCP|192.245.12.223|25|71.95.206.106|56591" ap="SMTP" mi="Bad password" us="romeo.julieta@opus1.com" di="535 5.7.8 Bad username or password (Authentication failed)."/>
+# failJSON: { "time": "2014-06-02T09:54:58", "match": true , "host": "151.1.71.144" }
+<co ts="2014-06-02T09:54:58.82" pi="123f.715.7116" sc="tcp_local" dr="+" ac="U" tr="TCP|192.245.12.223|25|151.1.71.144|58406" ap="SMTP" mi="Bad password" us="01ko8hqnoif09qx0np@imap.opus1.com" di="535 5.7.8 Bad username or password (Authentication failed)."/>
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@ -137,6 +137,11 @@ Feb 12 04:09:18 localhost sshd[26713]: Connection from 115.249.163.77 port 51353
 # failJSON: { "time": "2005-02-12T04:09:21", "match": true , "host": "115.249.163.77", "desc": "from gh-457" }
 Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication failures for root [preauth]

+# failJSON: { "match": false }
+Feb 12 04:09:18 localhost sshd[26713]: Connection from 115.249.163.77 port 51353 on 127.0.0.1 port 22
+# failJSON: { "time": "2005-02-12T04:09:21", "match": true , "host": "115.249.163.77", "desc": "Multiline match with interface address" }
+Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication failures for root [preauth]
+
 # failJSON: { "match": false }
 Apr 27 13:02:04 host sshd[29116]: User root not allowed because account is locked
 # failJSON: { "match": false }
--- a/files/bash-completion
+++ b/files/bash-completion
@ -154,7 +154,7 @@ _fail2ban () {
                    fi
                    return 0
                    ;;
-                delfailregex|delignoregex)
+                delfailregex|delignoreregex)
                    COMPREPLY=( $( compgen -W \
                        "$( "$1" get "$jail" "${prev/del/}" 2>/dev/null | awk -F"[][]" '{print $2}')" \
                    -- "$cur" ) )